CVE-2026-40287

HIGH

8.4

Description

PraisonAI is a multi-agent teams system. Versions 4.5.138 and below are vulnerable to arbitrary code execution through automatic, unsanitized import of a tools.py file from the current working directory. Components including call.py (import_tools_from_file()), tool_resolver.py (_load_local_tools()), and CLI tool-loading paths blindly import ./tools.py at startup without any validation, sandboxing, or user confirmation. An attacker who can place a malicious tools.py in the directory where PraisonAI is launched (such as through a shared project, cloned repository, or writable workspace) achieves immediate arbitrary Python code execution in the host environment. This compromises the full PraisonAI process, the host system, and any connected data or credentials. This issue has been fixed in version 4.5.139.

CVE Details

CVSS v3.1 Score8.4

SeverityHIGH

CVSS VectorCVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack VectorLOCAL

ComplexityLOW

Privileges RequiredNONE

User InteractionNONE

Published4/14/2026

Last Modified4/14/2026

Sourcenvd

Honeypot Sightings0

Weaknesses (CWE)

CWE-94CWE-426

References

https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-g985-wjh9-qxxc(security-advisories@github.com)

https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-g985-wjh9-qxxc(134c704f-9b21-4f2e-91b3-4a467353bcc0)

IOC Correlations

No correlations recorded

This product uses data from the NVD API but is not endorsed or certified by the NVD.